Skype tackles hack vulnerability that put accounts at risk

[Image: Skype on a Surface computer. Caption: Microsoft has been promoting the way Skype can be closely integrated into its new Windows 8 system]


Skype has tackled a password reset flaw which could be exploited to hijack the video chat service's accounts.

The vulnerability was discussed on a Russian blog about three months ago, but was only tackled after details were shared on news discussion site Reddit.

The issue could have exposed answerphone messages, old text message conversations and user details including date of birth.

Skype said it had now resolved the issue.

"Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website," said engineer Leonas Sendrauskas.

"This issue affected some users where multiple Skype accounts were registered to the same email address.

"We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

"We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience."

Easy-to-use attack

A how-to guide was first shared on Russian forum Xeksec.

It involves using a victim's Skype-registered email address to create a new account which is also linked to an email account owned by the attacker.

If a password change is then requested using the target's username, the hijacker can access the resulting reset token via the Skype app itself using the newly-created bogus log-in.

This can then be used to lock out the account's owner and access their details.
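The flaw described above comes down to showing a reset token to every account that claims an email address, whether or not that account has proved it controls the mailbox. The Python model below sets that logic beside a hardened variant; it is an added example, not Skype's code, and the class, the account names, the address and the in-app delivery mechanism are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

class ResetService:
    """Constructed model of a reset flow; the page does not show Skype's implementation."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}               # username -> {"email", "verified"}
        self.in_app = defaultdict(list)  # username -> tokens shown inside the client
        self.mail = []                   # (address, token) sent out of band

    def register(self, username, email, verified=False):
        self.accounts[username] = {"email": email, "verified": verified}

    def request_reset(self, target):
        email = self.accounts[target]["email"]
        token = secrets.token_urlsafe(16)
        if self.hardened:
            # Token is bound to the requested username and leaves only by mail,
            # and only when that account has proven control of the mailbox.
            if self.accounts[target]["verified"]:
                self.mail.append((email, token))
            return
        # Flawed: mail the token, then also surface it in-app to every account
        # that merely claims the same address.
        self.mail.append((email, token))
        for user, acct in self.accounts.items():
            if acct["email"] == email:
                self.in_app[user].append(token)

    def shared_addresses(self):
        """Audit helper: addresses claimed by more than one account."""
        owners = defaultdict(list)
        for user, acct in self.accounts.items():
            owners[acct["email"]].append(user)
        return {e: sorted(u) for e, u in owners.items() if len(u) > 1}

def who_sees_token(hardened):
    svc = ResetService(hardened)
    svc.register("alice", "alice@example.test", verified=True)  # constructed: legitimate owner
    svc.register("mallory", "alice@example.test")               # constructed: unverified claim on same address
    svc.request_reset("alice")
    in_app = sorted(u for u, toks in svc.in_app.items() if toks)
    return in_app, [addr for addr, _ in svc.mail], svc.shared_addresses()
```

The `shared_addresses` audit is the kind of query that identifies the accounts worth contacting after a fix, since only addresses claimed by more than one account are exposed in this model.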

Skype blanks all but the last four digits of stored credit card accounts, preventing the hackers from being able to steal cash. However, they could have used up spare credit.

The security hole was confirmed by The Next Web, which subsequently brought it to Skype's attention.

It follows on from a revelation last month that the program could be used to distribute malware via its instant message tool.

The news comes amid a campaign by Microsoft to convince members of its Windows Live Messenger chat tool to switch to Skype.

It plans to retire WLM by March 2013 across the world, with the exception of China.
